There have been some smart phishing campaigns running over the last few weeks, and this one is particularly sneaky. Bleeping Computer reports that a phishing page is targeting Greek taxpayers with a tax refund scam. The added sting in the tail comes in the form of an embedded keylogger which grabs everything entered into the page.
An untimely tax refund
The phishing mails rely on that time-honoured tradition of bogus tax returns and non-existent refunds. The landing page, which mimics an official gov.gr portal, reads as follows:
The Hellenic Tax Office has calculated your tax return, you are entitled to a tax refund of Є634.13 (around $633 USD). We have tried to transfer the amount to your account. Unfortunately we were unable to confirm your current account number.
What follows is a drop-down form where the victim can select their bank and “log into the portal”. According to researchers at Cyble, there are several URLs being used to phish victims and they all do a decent job of imitating the real deal. Multiple major banks are listed in the drop-down menu, and the bogus bank pages closely resemble the real thing. Unfortunately for site visitors, this is where the previously mentioned sting in the tail comes into play.
A sneaky way to grab data
Phishing sites typically rely on the visitor hitting the submit button to send their personal information into the hands of the scammers. If someone realises something isn’t quite right at the last minute and abandons ship, the scammers are left with nothing.
What can you do?
Tools used to block third-party trackers reportedly aren’t effective against this kind of embed. With that being the case:
Tax refunds are rather rare for most people, so question the authenticity of such a claim should you receive one. Contact your local tax authority directly. Many host an up-to-date list of common and current tax scams, which may help to answer your question before you’ve even picked up the phone.
Rogue attachments are common where fake tax refunds are concerned. If you happen to open a file you weren’t expecting, don’t disable your software’s “read only” mode or its closest equivalent. Steer clear of enabling macros, too.
Malwarebytes users are protected from the domains used in this attack. Stay safe out there!